Oh shut up, I thought you had unsubscribed from this list? You claim that your imaginary people work for Microsoft, so why don't you simply tell them to act up instead of annoying everyone here on FD. Stop pretending and get lost.

Unofficial patches are not evil no matter what you think about them. You have no clue anyway.... do you even know what a patch is? Unofficial patches are just meant as initial help until a proper patch is out, not for mission critical systems. Microsoft needs time to develop a proper patch as they can't simply throw together a patch, but also have to test that it won't break any existing software etc., as Windows is so widely used on tons of different platforms and along with so many software products that they have to make sure it's all stable. Sure they can't always have perfect results, but if you have to bitch so much about it, why don't you write a proper patch? Oh yes, I forgot, you can't code.......

Another funny thing you said to someone:
"There you go on assuming my knowledge base, even though I've been around the security scene longer than you."

Well, I remember your old mails where you bragged about having 6+ years experience in the security field, so you came around 1999/2000. I started in 1994, so I can lay down the same attitude on you, kiddie, isn't it? Besides that, it doesn't matter if you have hung around on IRC for 20 years, it matters what you did in that time. Others learn and improve, while you just try to look cool with your imaginary group, yet you still expect that someone takes you seriously here.
----- Original Message -----
Sent: Tuesday, March 28, 2006 8:46 PM
Subject: Re: [Full-disclosure] Security Alert: Unofficial IE patches appear on internet

On 3/28/06, Matthew Murphy <[EMAIL PROTECTED]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Newsflash, idiot: you're not the first one to think of this. Plenty of people at Microsoft beat you to the punch. When the threat environment created by a vulnerability is as serious as this case and the available code-independent workarounds (i.e., other than patches) are so poor, Microsoft will be inclined strongly against holding on to this patch.
Matthew firstly starts off his rant by claiming n3td3v is an idiot and then uses some clever words to talk about something that's not entirely clear, but I guess what he is trying to say is hidden in between his wording.
I'd venture to bet that Microsoft will make this patch available as soon as they're confident in the quality of it. Their first patch day is, at this point, nothing more than a benchmark. They might beat it but they almost certainly won't fall short of it unless there are major quality issues.
You would venture to bet? There's no betting involved. They do only release a patch after QA testing, although they can in certain situations bring forward a patch sooner. It's not about beating a patch day. Microsoft often have patches ready but wait for the corporately known Tuesday and Thursday press release days that all corporations globally adhere to in the world of security and otherwise.
The other thing that you obviously have no clue of is that even a release on patch Tuesday is "out-of-cycle" as far as Microsoft's test processes are concerned. Microsoft normally issues IE patches on a two month cycle -- February, April, June, August, October, December.
The other thing I "obviously" have no clue about? There you go on assuming my knowledge base, even though I've been around the security scene longer than you. Sure, Microsoft have a "comfortable" release cycle, although that's just to space everything out in their minds as a corporation. Remember the days before Microsoft started patch tuesday? Yeah, they would release critical patches whenever they saw fit. To me the mistake was that they started "Patch Tuesday", so as a corporation, even though it's a good thing for normal bug fixes to be issued only once monthly, it makes it harder for Microsoft to release a patch out of cycle for "critical flaws". You seem to think there are no employees at Microsoft who don't want to release patches in between patch tuesday. You're wrong, behind the scenes at Microsoft right now there are loads of people saying, "we want to release in between patch tuesday for critical flaws, but because we've invented patch tuesday for flaws generally, the more we do release patches in between patch tuesday, the more it weakens our patch tuesday policy" "We think patch tuesday is good, but it restricts us from pushing out patches in between that, because we want to keep credibility to our patch release day for all other flaws". So you see, it's not that Microsoft don't agree with out of cycle patch releases, it's just they don't want to spoil their overall patch tuesday policy. Microsoft don't like to send out mixed messages, so until the higher folks at MS start listening, patch tuesday will continue to pose a threat for when critical remote access flaws come along.
You can bet that they don't release patches for non-public vulnerabilities with a mere 20 days of testing (and that assumes they started on the patch the day the issue was published). When I reported a vulnerability in August that was (originally) scheduled for a bulletin, Microsoft said that if it made a bulletin, the earliest would be December. That was just shy of four months, and they weren't even certain it would make that release cycle. Microsoft doesn't have that kind of time here, and it's a damn sure bet that they aren't taking it.
We're not talking about non-public flaws! I'm talking about 0-day that goes into the wild, where exploit code is then released, and where media hype is created and then eEye and the others create a bigger security issue than the initial flaw.
Some good documentation on Microsoft's patch development processes (and how they vary for products) would help you avoid this ignorant and noobish mistake and put an end to ignorant media reporting about how Microsoft is sticking to its schedule with this patch -- which couldn't be much further from the truth.
Microsoft are about to release out of its cycle again for this IE vulnerability, according to my contacts. The patch tuesday policy is only just a new thing; before, they would release a patch at any time of their choosing. Because of patch tuesday, it now makes it more difficult for them to break this, as you would know if you had worked for a multinational before: they don't like to backtrack on a policy which is more than acceptable for non-critical flaws. It's only the issues of critical flaws hitting the wild, where exploit code is released, where media hype is created and then where folks like eEye release a patch, which will only ever be available to the security community and all of its malicious users, where script kids can patch systems for their own evil agendas, and/or also separately, phishers can release bogus eEye patches, or release a patch under another name with malicious code inserted, a lot of the time to execute another malicious code, unrelated to the initial exploit code vulnerability.
I guess it's easier to bash Microsoft for made-up, delusional reasons like "they're standing and watching while people get 0wn3d!" than for the real reasons (i.e., a six-month "standard procedure" patch process). Those in the latter category actually require some work to understand, and apparently don't give people the instant ego boost of thinking they're "taking on the monopoly".
NO, I'm not anti-Microsoft, lots of my friends work there. The only evil is folks like eEye providing tools (patches) to the security community, which legitimate users will never get hold of, but you can bet malicious users will, and will use the patch to their advantage.
Microsoft only ever releases out of its new patch tuesday cycle when eEye and all the others release third party patches. If you really were pro-Microsoft, you would be behind me in calling for all third party patches to be slammed as a bad thing for Microsoft and the security community and the public at large. There are folks at Microsoft in complete agreement with what I'm saying, who agree, like me, that patch tuesday is a good thing normally, but as soon as the evil third party patches are released, then Microsoft has no choice but to release out of cycle.

If you had contacts at Microsoft like I do, you would realise everything I'm saying is in line with what individuals within MS are thinking.
Patch Tuesday = Good before third party patches appear
Third party patch = Evil
Patch Tuesday = Bad for everyone after third party patches appear, even Microsoft, because they hate breaking out of the Patch Tuesday policy. Even though a lot of the time a patch is ready for distribution, Microsoft don't want to break out of company policy, even though individuals at Microsoft wish it was easier for a multinational to backtrack on its policy for critical *public 0-day*.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/